For this post, I would like to share the knowledge and skills that I just acquire by doing this machine. Attacktive Directory is an old machine and there might already have a lot of walkthrough on this machine out there.
To be frankly honest, I didn’t have the knowledge on how to do Penetration Testing or Security Testing on Active Directory where it normally uses Domain Controller on its infrastructure. So, this room will be my first encounter in this environment
As mentioned in the screenshot above, this room was been created by Sq00ky and this room also have been released around 396 days ago.
As usual, we need to deploy the machine by clicking the deployed machine as shown above.
For the first task, we are required to download the tools that will be used in this activity.
In order to download and install the tool into our machine, we need to use the command
git clone https://github.com/Sq00ky/attacktive-directory-tools.git
Once the download completed, you will give permission to the Kerberos tools that located inside the attacktive-directory-tools folder as shown below:
While looking at what we got in this attacktive-directory-tools folder, we are lucky to have impackets been include as well.
So, Let’s install impackets too while we’re in it. We will be starting by unzipping the impacket-master.zip and move the unzipped folder to /opt/ directory
After the unzip progress finish, you will need to do some install on the requirement by running the command as follows:
pip3 install -r /opt/impacket-master/requirement.txt
After the python modules have been successfully installed in the machine, we can start the python by execute the python script such as below:
cd /opt/impacket-master/ && python3 ./setup.py install
Once all the installation above been completed, we can start gathering information on the machine by running nmap -sV -sC <IP Address> -pn as usual
From the output that we see, we can see that NetBIOS_Domain_Name is THM-AD and DNS_Domain_name is spookysec.local. Aside of that, we also know the NetBIOS_Computer_Name which is ATTACKTIVEDIREC
We can already answer a few question that required us to answer based on the nmap result above.
What tool will allow us to enumerate port 139/445?
To answer the question mentioned above, there’s a lot of tools that we can use just to enumerate port 139/445. Those tools are as follows:
- enum4linux (This will be the answer for this question)
For the upcoming question for this activity, we might need to use kerbrute by running ./kerbrute
To get the username of the machine can used the command
./kerbrute userenum –dc <IP Address> -d spookysec.local userlist.txt -t 100
From what i can digest on the result, there’s two notable username that we can use here which is email@example.com and firstname.lastname@example.org
After the user account information gathering is completed, we can use the attack method that resides inside Kerberos features which called AS-REP Roasting where you can later see the output of this. Now, we know the user and we only need to gain password for the svc-admin.
For this activity, we are lucky because Impacket has a tool called “GetNPUsers.py which will help us to query AS-Reproastable accounts from the Key Distribution Center.
The command that we can use here are
GetNPUsers.py -no-pass -dc-ip <IP Address> spookysec.local/svc-admin
The output didn’t show anything that we can see because i have saved the output in .txt format so that we can use the it when we use hashcat
The screenshot below shown the result that we have successfully execute above
There’s a question about the hash mode. Let’s do some research on this.
The first website link that we should be looking into which it might help answer the question
Let’s open the website together!
Wow! There’s a lot of hash-mode that stored in the website.
What are we looking for?
This is my first time doing research on hashmode. So, Let’s moving on into the next challenge in this room.
We have most of the requirement to run the hashcat on this room. The command we be using on hashcat would
hashcat -m 18200 -a 0 svc-admin.txt passwordlist.txt –force
Now, we got the password for the username svc-admin
We will need to get the SMB share on the machine by running the command
smbclient -l <IP Address> -U ‘svc-admin’
The system will be asking for credentials of svc-admin where we already get the credentials in the previous task.
As we can see on the screenshot above, we can verify that SMB share been listed as follows:
There’s one SMB share that caught my attention which is backup. So let’s dive into that by running the command
smbclient //<IP Address>/backup -U ‘svc-admin’
To view the file that resides in this Backup directory can use the command “ls”
Let’s download the backup_credentials.txt and analysis the file by use the command get backup_credentials.txt
Let’s check what is written inside the backup_credentials.txt by running the syntax
On first glance, we notice that it was base64 hash. So, let’s go and run base64 -d backup_credentials.txt
For the next question, we need to use ‘secretdump.py’ that inside the impacket-master/example folder
For us to answer about the method use to get NTS.DIT and NTLM hashes for the administrator, we need to run the syntax
secretdump.py -just-dc backup:backup2517860@<IP Address>
Honestly, i don’t know the answer for the question below.
Q3 — What method of attack could allow us o authenticates as the user without the password?
In order to use evil-winrm, the option that we can use to crack hash is -H
Finally, we are doing the last challenge on this room.
To pass this challenges, we will need to use the tools evil-winrm.
The command that we be using here evil-winrm -i <IP Address> -u Administrator -H 0e0363213e37b94221497260b0bcb4fc
*Hashes might be different for other players
For each user, we need to access /user account/Desktop in order to retrieve the flag
Happy Learning Guys!